Re: [kitten] SPAKE and weak checksum types

Greg Hudson <ghudson@mit.edu> Thu, 14 September 2017 04:20 UTC

To: Benjamin Kaduk <kaduk@mit.edu>
References: <x7defrdz0le.fsf@equal-rites.mit.edu> <A374D6EA-9C58-4A8B-A68F-1CF9DE20669C@oxy.edu> <363e60be-b63d-3be4-dfdb-0f085480a98b@mit.edu> <jlgingn6ezq.fsf@redhat.com> <20170914013625.GO96685@kduck.kaduk.org>
Cc: kitten@ietf.org
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <898b0135-7c9d-078d-c213-faf90c5c0417@mit.edu>
Date: Thu, 14 Sep 2017 00:20:15 -0400
In-Reply-To: <20170914013625.GO96685@kduck.kaduk.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ZTZdwMmOvU0S8sqB-AnaeKm9frw>

On 09/13/2017 09:36 PM, Benjamin Kaduk wrote:
>>>> IIUC you are concerned with the case that someone will stand up a kdc
>>>> which will opportunistically use SPAKE, but supports older/weaker
>>>> stuff. By its nature such a beast will be vulnerable to downgrade
>>>> attacks and you can't solve that in SPAKE.
>>>
>>> If the KDC downgrades itself to encrypted timestamp for DES/RC4 keys,
>>> only a passive attack is needed, versus an active attack to downgrade
>>> to encrypted timestamp.
> 
> I must still be foggy from recovering from being sick; could you walk
> me through the passive attack a bit more slowly (or which scenarios are
> being compared)?

The particular scenario I was concerned about here (which should not be
an issue since we appear to have agreement on the text change) was: the
KDC and the client both permit SPAKE and encrypted timestamp.  The KDC
decides not to offer SPAKE because the initial reply key is an RC4 key
and therefore the transcript checksum would use HMAC-MD5.  The passive
attacker can simply dictionary attack the ciphertext from the client (or
the KDC).
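
As an added illustration of the scenario described above (example code written for this page, not code from MIT krb5, the SPAKE draft, or anyone in the thread): a small Python model of the KDC's pre-authentication choice under the two policies being compared. The mechanism names, the enctype-to-weak-checksum table, and the attacker classification are assumptions chosen to follow the thread's reasoning; the point it shows is that withholding SPAKE because the transcript checksum would be HMAC-MD5 hands a passive observer password-derived ciphertext, whereas offering SPAKE anyway at least forces the attacker to be active.

```python
"""Model of the KDC pre-authentication choice discussed in the thread.

Added example, not code from MIT Kerberos or the SPAKE draft.  The
mechanism names, the checksum-strength table and the attack
classification are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

SPAKE = "SPAKE"
ENC_TS = "encrypted-timestamp"

# Constructed table (assumption): does the SPAKE transcript checksum for a
# given initial reply key enctype count as weak?  An RC4 reply key leads to
# an HMAC-MD5 transcript checksum, which the thread treats as weak.
WEAK_TRANSCRIPT_CHECKSUM = {
    "aes256-cts-hmac-sha1-96": False,
    "aes128-cts-hmac-sha1-96": False,
    "arcfour-hmac": True,
}


@dataclass(frozen=True)
class Outcome:
    mechanism: Optional[str]   # what the KDC ends up offering
    weakest_attack: str        # cheapest attacker position that works


def choose_preauth(common: Sequence[str], reply_enctype: str,
                   skip_spake_on_weak_checksum: bool) -> Optional[str]:
    """Pick the mechanism the KDC offers from those both sides support.

    skip_spake_on_weak_checksum=True models the behaviour the thread warns
    about: the KDC withholds SPAKE when the transcript checksum would be
    weak and silently falls back to encrypted timestamp.
    """
    weak = WEAK_TRANSCRIPT_CHECKSUM[reply_enctype]
    if SPAKE in common and not (skip_spake_on_weak_checksum and weak):
        return SPAKE
    if ENC_TS in common:
        return ENC_TS
    return None


def weakest_attack(mechanism: Optional[str], common: Sequence[str]) -> str:
    """Classify the cheapest attacker that gets an offline dictionary attack.

    Follows the thread's reasoning (assumption):
    - encrypted timestamp puts password-derived ciphertext on the wire, so a
      passive observer suffices;
    - SPAKE offers no such ciphertext, so an attacker must be active and
      downgrade the exchange to encrypted timestamp, which only works if
      both sides still permit it;
    - with SPAKE alone, only online guessing remains.
    """
    if mechanism == ENC_TS:
        return "passive"
    if mechanism == SPAKE:
        return "active" if ENC_TS in common else "online-guessing"
    return "n/a"


def evaluate(client_mechs: Sequence[str], kdc_mechs: Sequence[str],
             reply_enctype: str, skip_spake_on_weak_checksum: bool) -> Outcome:
    """Run one KDC decision and classify the resulting exposure."""
    common = [m for m in kdc_mechs if m in client_mechs]
    mech = choose_preauth(common, reply_enctype, skip_spake_on_weak_checksum)
    return Outcome(mech, weakest_attack(mech, common))


def compare_policies(reply_enctype: str,
                     client_mechs: Sequence[str] = (SPAKE, ENC_TS),
                     kdc_mechs: Sequence[str] = (SPAKE, ENC_TS)) -> dict:
    """The thread's scenario: both sides permit SPAKE and encrypted timestamp.

    Returns the outcome under the policy that skips SPAKE on a weak checksum
    and under the policy that always offers SPAKE when available.
    """
    return {
        "skip_spake_on_weak_checksum":
            evaluate(client_mechs, kdc_mechs, reply_enctype, True),
        "always_offer_spake":
            evaluate(client_mechs, kdc_mechs, reply_enctype, False),
    }


if __name__ == "__main__":
    for enctype in WEAK_TRANSCRIPT_CHECKSUM:
        for policy, outcome in compare_policies(enctype).items():
            print(f"{enctype:26} {policy:28} -> {outcome.mechanism}, "
                  f"weakest attack: {outcome.weakest_attack}")
```

Running the module prints the decision matrix; for an RC4 reply key the skipping policy yields encrypted timestamp with a passive attack, while always offering SPAKE requires an active downgrade, which is exactly the comparison the thread is making.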